post-auth section in FR v2.1.12
I am using EAP-TLS and I am trying to use post-auth section to dynamically assign (based on the ldap group membership) vlan ID to the user. Leaving the LDAP part away for testing purposes and concentrating just on the post-auth section - I cannot make FR to override VLAN ID in post-auth section. Here is the config: post-auth { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "36" } exec Post-Auth-Type REJECT { attr_filter.access_reject } } And nothing happens here: .... # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[reply] returns noop ++[exec] returns noop Sending Access-Challenge of id 127 to X.X.X.X port 32769 Tunnel-Private-Group-Id:0 = "36" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x03040004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd55884fdd75c9555353e80afe21cb577 Finished request 6. .... But it finally ends with this: ..... Sending Access-Accept of id 128 to X.X.X.X port 32769 Tunnel-Private-Group-Id:0 = "84" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Cisco-AVPair += "XXX" EAP-Message = 0xXXXX Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "XXXX" Finished request 7. Hence, 3 questions: 1) Does FR v2.1.12 support post-auth section? 2) Can you explain the aim of "Sending Access-Challenge" ? 2) Where is the best place to authorize users in LDAP while using EAP-TLS? Is it post-auth? ps. it works fine while authorizing users based on LDAP in the authorize section but we prefer to postpone this task to post-auth. In that way we can achieve to goals: -use ldap group membership for vlan assignments and -significantly reduce LDAP load jinx
gabriel_skupien wrote:
Hence, 3 questions: 1) Does FR v2.1.12 support post-auth section?
It should. But you should really also try 2.2.5, as 2.1.12 is four years out of date.
2) Can you explain the aim of "Sending Access-Challenge" ?
That's how the protocol works.
2) Where is the best place to authorize users in LDAP while using EAP-TLS?
That depends on what you're doing.
Is it post-auth?
For you, yes.
ps. it works fine while authorizing users based on LDAP in the authorize section but we prefer to postpone this task to post-auth. In that way we can achieve to goals: -use ldap group membership for vlan assignments and -significantly reduce LDAP load
List "ldap.authorize" in the "post-auth" section. Alan DeKok.
Dnia 10 czerwca 2014 17:58 Alan DeKok <aland@deployingradius.com> napisał(a):
gabriel_skupien wrote:
Hence, 3 questions: 1) Does FR v2.1.12 support post-auth section?
It should. But you should really also try 2.2.5, as 2.1.12 is four years out of date.
2) Can you explain the aim of "Sending Access-Challenge" ?
That's how the protocol works.
2) Where is the best place to authorize users in LDAP while using> EAP-TLS?
That depends on what you're doing.
Is it post-auth?
For you, yes.
ps. it works fine while authorizing users based on LDAP in the authorize section but we prefer to postpone this task to post-auth. In that way we can achieve to goals: -use ldap group membership for vlan assignments and -significantly reduce LDAP load
List "ldap.authorize" in the "post-auth" section.
Thanks Alan! That is working fine but.... I do not want to use "ldap.authorize", I would really prefer to use LDAP-Group - ideally in "switch" statement but it seems that it is not supported in FR 2.X. Bulk of if/else statements is also a bad idea because we use dozens of LDAP groups and that will for sure result with LDAP server overload. Any idea? ps. a pure "update reply" without "if" statements is also working, the problem was that I tried LEAP, when I switched to EAP-TLS it started to proces "update reply" section. Gabriel
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
gabriel_skupien wrote:
I do not want to use "ldap.authorize", I would really prefer to use LDAP-Group - ideally in "switch" statement but it seems that it is not supported in FR 2.X.
No. In v3, though, the LDAP module caches the LDAP groups. So it's much faster.
Bulk of if/else statements is also a bad idea because we use dozens of LDAP groups and that will for sure result with LDAP server overload. Any idea?
Use v3.
ps. a pure "update reply" without "if" statements is also working, the problem was that I tried LEAP, when I switched to EAP-TLS it started to proces "update reply" section.
OK. Alan DeKok.
Thanks for your feedback. The last question, can we configure ldap module to make ldapsearch support for referrals/aliases? Gabriel Dnia 11 czerwca 2014 15:41 Alan DeKok <aland@deployingradius.com> napisał(a):
gabriel_skupien wrote:
I do not want to use "ldap.authorize", I would really prefer to use LDAP-Group - ideally in "switch" statement but it seems that it is not supported in FR 2.X.
No. In v3, though, the LDAP module caches the LDAP groups. So it's much faster.
Bulk of if/else statements is also a bad idea because we use dozens of LDAP groups and that will for sure result with LDAP server overload. Any idea?
Use v3.
ps. a pure "update reply" without "if" statements is also working, the problem was that I tried LEAP, when I switched to EAP-TLS it started to proces "update reply" section.
OK.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am sorry but I think that my question was not unambiguous. In fact I wanted to ask about alias dereferencing (that's something different than referrals) support? Dnia 12 czerwca 2014 15:09 Alan DeKok <aland@deployingradius.com> napisał(a):
gabriel_skupien wrote:
Thanks for your feedback. The last question, can we configure ldap module> to make ldapsearch support for referrals/aliases?
The LDAP module already follows referrals.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13 Jun 2014, at 07:55, gabriel_skupien <gabriel_skupien@o2.pl> wrote:
I am sorry but I think that my question was not unambiguous. In fact I wanted to ask about alias dereferencing (that's something different than referrals) support?
Dnia 12 czerwca 2014 15:09 Alan DeKok <aland@deployingradius.com> napisał(a):
gabriel_skupien wrote:
Thanks for your feedback. The last question, can we configure ldap module> to make ldapsearch support for referrals/aliases?
No, alias dereferencing does not appear to be configurable in v2.x.x, nor will it ever be. The libldap default is 'never', so it's not on by default. v3.0.x HEAD which will shortly become 3.0.4 does support it however, so if you need it I suggest you upgrade. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
You are doing this in the default server (and editing the right config file) and not the inner-tunnel, yes? Full debug with radiusd -X as per docs would be very helpful alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (4)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
gabriel_skupien